ci: optimize CI/CD with lint and security scans #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [ aicode, master, develop ] | |
| pull_request: | |
| branches: [ aicode, master ] | |
| schedule: | |
| # 每周一早上 6:00 UTC 运行 | |
| - cron: '0 6 * * 1' | |
| jobs: | |
| govulncheck: | |
| name: Vulnerability Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.22' | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck | |
| run: govulncheck ./... | |
| gosec: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@master | |
| with: | |
| args: ./... | |
| # 渐进式:初期不阻塞 CI,后续修复问题后再强制 | |
| continue-on-error: true | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 |